Donut domains - efficient non-convex domains for abstract interpretation

ABSTRACT

A computer implemented program analysis method employing a set of new abstract domains applicable to non-convex invarients. The method analyzes programs statically using abstract interpretation while advantageously considering non-convex structures and in particular those situations in which an internal region of an unreachable state exists within a larger region of reachable states. The method employs a new set of non-convex domains (donut domains) based upon the notion of an outer convex region of reachable states (Domain D1) and an inner region of unreachable states (Domain D2) which advantageously permits capture of non-convex properties by using convex regions and operations.

CROSS REFERENCE TO RELATED APPLICATION

This application claims the benefit of U.S. Provisional Patent Application Ser. No. 61/466,522 filed Mar. 23, 2011 which is incorporated by reference as if set forth at length herein.

TECHNICAL FIELD

This disclosure relates generally to the field of computer software and in particular to a method of program analysis using abstract interpretation which advantageously expresses non-convex properties.

BACKGROUND

Efficient program analysis using abstract interpretation typically uses convex domains such as intervals, octagons, zonotopes or polyhedral. However, certain properties of interest require reasoning about non-convex structures. Accordingly, program analysis methods that address these non-convex structures would represent an advance in the art.

SUMMARY

An advance in the art is made according to an aspect of the present disclosure directed a computer implemented method of program analysis employing a set of new non-convex domains based on the notion of an outer convex region of reachable states and an inner region of unreachable states. Advantageously, this allows the capture of non-convex properties by reasoning completely using convex regions and operations.

In sharp contrast to the prior art, methods according to the present disclosure will over-approximate reachable states of a program under analysis and under-approximate unreachable states of that program. In that manner, a more precise analysis is performed.

BRIEF DESCRIPTION OF THE DRAWING

A more complete understanding of the present disclosure may be realized by reference to the accompanying drawings in which:

FIG. 1 shows a program excerpt providing a motivating example according to an aspect of the present disclosure;

FIG. 2 is a schematic diagram depicting the concretization of a typical non-convex abstract object according to an aspect of the present disclosure;

FIG. 3 is a schematic diagram depicting the relaxation of the hole (0,0) to x≧0 according to an aspect of the present disclosure;

FIG. 4 is a schematic diagram depicting join and meet operators using interval component domains showing (a) two initial abstract objects; (b) concrete union of the objects; (c) abstract object representing ∪_(1/2); (d) the concrete intersection of the objects; and 9 e) the abstract object representing ∩_(1/2), according to an aspect of the present disclosure;

FIG. 5 shows the evaluation of a linear expression [[x₂<−x₁+x₂]]#_(1/2) according to an aspect of the present disclosure;

FIG. 6 shows the evaluation, of a non-linear expression [[x₂<−x₁×x21/2# according to an aspect of the present disclosure;

FIG. 7 shows the under-approximation of randomly generated polyhedral with octagons according to an aspect of the present disclosure;

FIG. 8 is a schematic block diagram depicting a high-level depiction of abstract interpretation based upon program analysis according to an aspect of the present disclosure;

FIG. 9 is a schematic block diagram depicting several exemplary operations performed on donut domains according to an aspect of the present disclosure; and

FIG. 10 shows a block diagram of an exemplary computer system on which methods according to the present disclosure may be implemented.

DETAILED DESCRIPTION

The following merely illustrates the principles of the disclosure. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the disclosure and are included within its spirit and scope.

Furthermore, all examples and conditional language recited herein are principally intended expressly to be only for pedagogical purposes to aid the reader in understanding the principles of the disclosure and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions.

Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosure, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently-known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.

Thus, for example, it will be appreciated by those skilled in the art that the diagrams herein represent conceptual views of illustrative structures embodying the principles of the invention.

In addition, it will be appreciated by those skilled in art that any flow charts, flow diagrams, state transition diagrams, pseudocode, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.

In the claims hereof any element expressed as a means for performing a specified function is intended to encompass any way of performing that function including, for example, a) a combination of circuit elements which performs that function or b) software in any form, including, therefore, firmware, microcode or the like, combined with appropriate circuitry for executing that software to perform the function. The invention as defined by such claims resides in the fact that the functionalities provided by the various recited means are combined and brought together in the manner which the claims call for. Applicant thus regards any means which can provide those functionalities as equivalent as those shown herein. Finally, and unless otherwise explicitly specified herein, the drawings are not drawn to scale.

Thus, for example, it will be appreciated by those skilled in the art that the diagrams herein represent conceptual views of illustrative structures embodying the principles of the disclosure.

By way of some additional background, it is noted that prior approach to non-convex reasoning is to utilize powerset domains of elementary convex domains. In general, it has proved to be difficult to provide satisfactory improvements over elementary convex domains with powerset domains while maintaining small enough performance degradation. Furthermore, it would be difficult to maintain enough disjunctions in the powerset depending on the particular non-convex shape being approximated. Note, however, that the recently proposed BOXES domain can potentially represent exponentially many interval constraints compactly. It utilizes a BDD-like extension to elementary range constraints called LDD. However, we are interested in relational domains such as octagons, zonotopes or polyhedra as well.

Additional non-convex domains based on congruence analysis (either linear or trapezoid have been developed. Such domains capture a congruence relation that variables satisfy and are suitable for the analysis of indexes of arrays for instance. Recent work by Chen et al. considered a polyhedral abstract domain with interval coefficients. This abstract domain has the ability to express certain non-convex invariants. For example, in this domain some multiplications can be evaluated precisely. Other interesting non-convex abstract domains were introduced to capture specific invariants such as min-max invariants and quadratic templates.

We address a different type of non-convexity commonly occurring in software, which relates to small sub-regions of instability within a normal operating (convex) region of interest. The non-convex region of values that may cause the bug is (under-)approximated using a convex inner region (or hole) that is subtracted from a convex outer region. We call this representation donut domains. Our approach relies on the usual operations defined on (convex) sub-domains, except for the need to compute under-approximations in the inner domain. The donut domains give a convenient framework to reason about disequality constraints in abstract domains such as in. It can be considered as a generalization of the work on signed types domain introduced in. There, we start with a finite set of types, and allow a set-minus operation only from the universal set.

Under-Approximations of Polyhedral

Under-approximations have been utilized for applications such as test vector generation and counterexample generation, by providing must-reach sets. Bemporad et al. introduced the notion of inner-approximations of polyhedra using intervals in. In, polyhedra are under-approximated for test vector generation of Simulink/Stateflow models using a bounded vertex representation (BVR). Goubault and Putot describe a method to compute an under-approximating zonotope using modal intervals for non-linear operations.

Herein, we describe a technique to find under-approximations of polyhedra based on a fixed template. We first re-formulate the problem by introducing an auxiliary matrix. This matrix represents the fact that we are looking for an inner polyhedral object of a particular shape. Using this auxiliary matrix re-formulation, we can then use standard convex analysis techniques to characterize an under-approximations of polyhedra.

MOTIVATING EXAMPLE

FIG. 1 highlights a code snippet taken froth XTIDE. The XTIDE package provides accurate tide and current predictions in a number of formats based on algorithms. Similar patterns may exist in controller-related software to avoid regions of controller or numerical instability.

After the step marked initializations, (dx, dy) could be any point in

² except the origin (0,0). In our analysis, this particular point is kept and propagated forward as a “hole”. After the i f-statement, the set of reachable values is: (dy>dx

dy>−dx)

(−dy>dx

−dy>−dx). The above region is non-convex; therefore, a classical abstract domain will end up at this control point with T for both variables. Moreover, here, the interpretation of the strict inequality of the test is required to prove that dx≠0. The else case is even harder: in addition to the non-convexity of the set of possible values, one needs to consider the full-zero-test together with the negation of |dy|>|dx|, to prove that the division by dy is safe.

Donut Abstract Domains

In this section we introduce donut domains, and define the operation on donut domains based on operations in the component domains.

Lattice Structure

Let (

₁, ≦₁, ∪₁, ∩₁, ⊥₁, T₁, γ₁) and (

₂, ≦₂, ∪₂, ∩₂, ⊥₂, T₂, γ₂) denote two classical numerical abstract domains, where ≦*, ∪*, ∩*, ⊥*, T*, γ* denote the partial order, the join and meet operations, the bottom and top elements and the concretization function of the classical abstract domain for *∈ {1,2}, respectively.

In this disclosure, we extend a given abstract domain with an under-approximation operator {hacek over (α)}, such that for any concrete object X, we have y ∘{hacek over (α)}(X) ⊂X. An abstract object X#_(1\2) of the domain

₁\

₂ is defined by a pair of objects (X#₁, X#₂), such that X#₁ ∈

₁ an X#₂ ∈

₂. The object X#_(1\2) abstracts the set of possible values reached by the variables as follows:

-   -   The object X#₁ ∈         ₁ represents an over-approximation of the set of reachable         values; and     -   The object X#₂ ∈         ₂ represents an under-approximation of the set of unreachable         values (usually within γ₁(X#₁)).

The concretization function is defined as follows.

$\gamma_{1{\backslash 2}}\overset{def}{=}{{\gamma_{1{\backslash 2}}\left( {X_{1}^{\#},X_{2}^{\#}} \right)}\overset{def}{=}{{{\underset{.}{\gamma}}_{1}\left( X_{1}^{\#} \right)}\backslash {{\gamma_{2}\left( X_{2}^{\#} \right)}.}}}$

FIG. 2 depicts a concretization of a typical donut object where the domain

₁ is the affine sets domain and

₂ is the octagons domain.

At this point, one should keep in mind the implicit set of unreachable values implied by γ₁(X#₁)—namely

^(p)\γ₁(X#₁) denoted in the sequel by γ ₁(X#₁). Indeed, the set of unreachable values is actually γ _(X#) ₁) ∩ γ₂(X#₂). As said earlier, γ₂(X#₂) is a (convex) under-approximation of the set of unreachable values. The fact that the intersection γ₁ (X#₁) ∩ γ₂ (X#₂) is not empty permits to encode a hole inside γ₁ (X#₁) (see FIG. 2).

Interval Concretization

The interval concretization of the variable x_(k), 1≦k≦p, denoted by [x_(k)], is defined by π_(k) (γ₁ (X#₁)\γ₂ (X#₂)), where π_(k) denotes the orthogonal projection of a given set onto dimension k. Note that [x_(k)]⊃π_(k)(γ₁(X#₁))\π_(k)(γ₂(X#₂)). For instance in ([−2,2]×[−2,2], [−1,1]×[−28 , +∞]) , we have [x₂]=[−2,2], whereas [−2,2]\[−∞, +∞]=Ø.

We embed

₁\

₂ with a binary relation and prove that it is a pre-order.

Definition 1. Given X#₁, Y#₁ ∈

₁ and X#₂, Y#₂ ∈

₂, we say that (X#₁, X#₂) is less than or equal to (Y#₁, Y#₂) denoted by (X#₁, X#₂)≦_(1\2) (Y#₁, Y#₂) if and only if X#₁≦₁ Y#₁ and

γ ₁(X#₁)∪γ₂(X#₂)⊃ γ ₁(Y#₁)∪γ₂(Y#₂).   (1)

Proposition 1. The binary relation ≦_(1\2) is a pre-order over

₁\

₂. It defines an equivalence relation ˜ defined by (X#₁, X#₂)≦_(1\2) (Y#₁, Y#₂) and (Y#₁, Y#₂)≦_(1\2) (X#₁, X#₂) and characterized by X#₁=Y#₁ (X#₁≦₁ Y#₁ and Y#₁≦₁ X#₁), γ₂(X#₂)⊂γ₂(Y#₂)∪ γ ₁(Y#₁) and γ₂(Y#₂₂)⊂γ₂(X#₂∪ γ ₁(X#₁). We reuse the symbol ≦_(1\2) to also denote the partial order quotiented by the equivalence relation ˜.

With respect to ≦_(1\2), we have

(⊥₁, ⊥₂)˜(⊥₁ , T ₂)≦_(1\2) (T ₁ , T ₂)≦_(1\2) (T ₁, ⊥₂);

therefore, we define the bottom and top elements of

₁\

₂ by

⊥_(1\2) def=(⊥₁, −) T _(1\2) def=(T ₁, ⊥₂).

Decidability of the Order

Despite the non-convexity of γ, the equivalence class introduced in Proposition 1 suggests particular representatives of objects (X#₁, X#₂) which are easily comparable. Indeed, y is no longer involved when the concretization of the hole X#₂ is included in the concretization of X#₁. Moreover, observe that the definition of the order relation ≦_(1\2) allows comparing two abstract objects having their holes in two different abstract domains, since only the concretization functions are involved in (1).

Proposition 2. Let (X#₁, X#₂) and (Y#₁, Y#₂) be two elements of

₁\

₂ such that γ₂ (X#₂)⊂γ₁(X#₁), and γ₂(Y#₂)⊂γ₁(Y#₁). Therefore, (X#₁, X#₂)≦_(1\2) (Y#₁, Y#₂) if and only if X#₁≦₁ Y#₁ and γ₁(X#₁)∩γ₂ (Y#₂)⊂γ₂(X#₂).

The condition γ₁(X#₁)∩γ₂(Y#₂)⊂γ₂(X#₂), can be checked in the abstract world rather than in the concrete domain up to the use of an expressive enough domain for both

₁₂ and

₁: for instance a box and an octagon can be seen as special polyhedra and the meet operation of the Polyhedra abstract domain can be used.

Let

denote the abstract representation in the Polyhedra domain of the abstract object X#₁, that is

(γ₁(X#₁)). To decide whether (X#₁, X#₂) is less than or equal to (Y#₁, Y#₂), we proceed as follows:

-   -   1. First, we “upgrade” X#₂and Y#₂ to the Polyhedra domain. We         denote by (X#₁,         ) and (Y#₁,         ) the newly obtained abstract objects.     -   2. Then, we derive our particular representatives, namely (X#₁,         ∩_(p)         ) for (X#₁,         ) and (Y#₁,         ) for (Y#₁,         ) (∩_(p) being the meet operation in the Polyhedra domain).     -   3. Finally, we use Proposition 2 by checking for the         inequalities X#₁≦₁ Y#₁ and

Meet and Join Operations

We start with a simple example to clarify the intuition behind the formal definition given later.

Example 1. Consider a one-dimensional donut domain where

₁ and

₂ are Intervals domains. Assume we are interested in computing

-   -   ([0,3], [1,2])∪([1,6], [2,5]).

The above join yields the following union of four intervals: [0,1)∪(2,3]∪[1,2)∪(5,6], which can be combined without loss of precision into [0,2)∪(2,3]∪(5,6], or equivalently

-   -   [0,6]\([2]∪(3,5]).

What the example suggests is that when computing a join of two elements (X#₁, X#₂) and (Y#₁, Y#₂), we often end up with multiple (not necessarily convex nor connex) holes defined by (γ₂(X#₂)∪ γ ₁(X#₁))∩(γ₂(Y#₂)∪ γ ₁(Y#₁)). By distributing the meet over the join, we obtain:

-   -   (γ₂(X#₂)∩γ₂(Y#₂))∪(γ₂(X#₂)∩ γ ₁(Y#₁))∪(γ₂(Y#₂)∩ γ ₁(X#₁))∪( γ         ₁(X#₁)∩ γ ₁(Y#₁)).

An under-approximation of the final element γ ₁(X#₁)∩ γ ₁(Y#₁) is implicit since the over-approximation of reachable values is given by X#₁ ∪₁ Y#₁. Thus, only the intersection of the first Three sets will be considered (which is sound). In our example, γ([1,6])=[−∞, 1)∪(6, +∞], and γ([0,3])=[−∞, 0)∪(3, +∞], this gives [1,2]∩[2,5]=[2,2] and

[1,2]∪([−∞, 1)∪(6, +∞])=ø

[2,5]∩([−∞, 0)∪(3, +∞])=(3,5].

As noted previously, the intersection ([−∞, 1)∪(6, +∞])∩([−∞, 0)∪(3, +∞]) is implicit since it is covered by γ ₁([0,3]∪[1,6]). We now formalize the join operator:

${{\left( {X_{1}^{\#},X_{2}^{\#}} \right)\bigcup_{1{\backslash 2}}\left( {Y_{1}^{\#},Y_{2}^{\#}} \right)}\overset{def}{=}\left( {{X_{1}^{\#}\bigcup_{1}Y_{1}^{\#}},{\left( {X_{1}^{\#},X_{2}^{\#}} \right)\bigcap\limits^{\Cup}\left( {Y_{1}^{\#},Y_{2}^{\#}} \right)}} \right)},$

where ∩ is defined by:

${\left( {X_{1}^{\sharp},X_{2}^{\sharp}} \right)\bigcap\limits^{˘}\left( {Y_{1}^{\sharp},Y_{2}^{\sharp}} \right)}\overset{def}{=}{{\overset{˘}{\alpha}\left( {\left( {{\gamma_{2}\left( X_{2}^{\sharp} \right)}\bigcap{\gamma_{2}\left( Y_{2}^{\sharp} \right)}} \right)\bigcup\left( {{\gamma_{2}\left( X_{2}^{\sharp} \right)}\bigcap{{\overset{\_}{\gamma}}_{1}\left( Y_{1}^{\sharp} \right)}} \right)\bigcup\left( {{\gamma_{2}\left( Y_{2}^{\sharp} \right)}\bigcap{{\overset{\_}{\gamma}}_{1}\left( X_{1}^{\sharp} \right)}} \right)} \right)}.}$

We may perform heuristic checks to prioritize which hole (if many) to keep, which may also depend on the under-approximation abstraction function {hacek over (α)}. For instance we may choose an inner approximation (if working with closed domains) of the hole (3,5] instead of choosing the hole [2,2]. Notice also that we have a straightforward fallback operator {hacek over (∩)}_(fb), that involves only X#₂ and Y#₂:

${X_{2}^{\sharp}{\bigcap\limits^{˘}}_{fb}Y_{2}^{\sharp}}\overset{def}{=}{{\overset{˘}{\alpha}\left( {{\gamma_{2}\left( X_{2}^{\sharp} \right)}\bigcap{\gamma_{2}\left( Y_{2}^{\sharp} \right)}} \right)}.}$

The operator is sound with respect to under-approximation. It focuses only on a particular hole, namely γ₂(X#₂)∩γ₂(Y#₂), instead of considering all possibilities. In our current implementation, we use this fallback operator in a smart manner: before computing the meet of both holes, we relax, whenever possible, in a convex way, these holes. This relaxation is performed by removing all constraints that could be removed while preserving γ₁(X#₁). For instance, if the hole is the point (0,0), and the abstraction of X#₁ is given by the conjunction γ≧x{circumflex over (0)}−γ≧x, then the hole (0,0) is relaxed to x≧0 (see FIG. 3).

For the meet operation, we proceed in a similar manner. If the domain

₂ is closed under the meet operation (almost all polyhedra-like abstract domains), it is possible to replace {hacek over (α)} by α, and {hacek over (∩)}_(fb) by ∩₂. In our example, the fallback operator gives the box [2,2].

The meet operator ∩_(1\2) is defined in a similar manner:

${\left( {X_{1}^{\sharp},X_{2}^{\sharp}} \right)\bigcap_{1{\backslash 2}}\left( {Y_{1}^{\sharp},Y_{2}^{\sharp}} \right)}\overset{def}{=}{\left( {{X_{1}^{\sharp}\bigcap_{1}Y_{1}^{\sharp}},{X_{2}^{\sharp}\bigcup\limits^{˘}Y_{2}^{\sharp}}} \right)\mspace{14mu} {where}}$ ${X_{2}^{\sharp}\bigcup\limits^{˘}Y_{2}^{\sharp}}\overset{def}{=}{{{\overset{˘}{\alpha}}_{2}\left( {{\gamma_{2}\left( X_{2}^{\sharp} \right)}\bigcup{\gamma_{2}\left( Y_{2}^{\sharp} \right)}} \right)}.}$

We deliberately omit γ ₁(X#₁)∪ γ ₁(Y#₁) in the above definition of {hacek over (∪)} because it is implicit from X#₁∩₁Y#₁. If the domain

₂ is closed under the join operation, then {hacek over (∪)} is exactly equal to ∪₂. Very often, however, the join operation leads to an over-approximation. Therefore the detection of an exact join as in is of particular interest. In our current implementation, if X#₂ and Y#₂ overlap, we soundly extend, in a convex way, the non-empty intersection. For instance, if X#₂=[−2,1]×[−1,1] and Y#₂=[−1,2]×[−2,0], the intersection gives the box [−1,1]×[−1,0], and the extension we compute gives the box [−2,2]×[−1,0]. If, however, the holes are disjoint, we randomly pick up one of them.

Example 2. Consider 2 -dim simple abstract objects. FIG. 4 shows a graphical representation of two overlapping objects. The remaining sub-figures highlight some of the pertinent steps with respect to the computation of ∪_(1\2) and ∩_(1\2) for such overlapping objects.

Loop Widening

When processing loop elements in abstract interpretation, we may require widening to guarantee termination of the analysis. For donut domains, we extend the widening operations defined on the component abstract domains. We use the pair-wise definition of widening operators ∇. We thus define widening of donut domains as:

(X# ₁ , X# ₂)∇_(1\2)(Y# ₁ , Y# ₂)=(X# ₁∇₁ Y# ₁ ,X# ₂∩₂ Y# ₂).

We use the standard widening operator ∇₁ for abstract domain

₁. Similarly, we use the standard meet operator ∩₂ of abstract domain

₂ for the inner region, which ensures the soundness of ∇_(1\2). The convergence of the first component is guaranteed by the widening operator ∇₁. The convergence of the second component needs however more attention.

Note that the simple use of narrowing operator of

₂ is unsound as it may give a donut object which is not an upper bound. To ensure the termination we add a parameter k which will encode the maximal number of allowed iterations. If the donut object does not converge within those k iterations, the hole component is reduced to ⊥₂. Note that the use of the narrowing operator of

₂ instead of ∩₂ does not give in general an upper bound of (X#₁, X#₂) and (Y#₁, Y#₂).

Interpretation of Tests

The ability to express holes allows us to better handle a wide range of non-convex tests such as the ≠ test or the strict inequality test. We start with classical tests. For ⋄∈ {=, ≦}:

${{{〚{x_{k} \diamond 0}〛}^{\sharp}\left( {X_{1}^{\sharp},X_{2}^{\sharp}} \right)}\overset{def}{=}\left( {{{〚{x_{k} \diamond 0}〛}_{1}^{\sharp}\left( X_{1}^{\sharp} \right)},{{〚{x_{k} \diamond 0}〛}_{1}^{\natural}\left( X_{2}^{\sharp} \right)}} \right)},$

where

${〚 \cdot 〛}_{2}^{\natural}\overset{def}{=}{{{\overset{˘}{\alpha}}_{2} \circ {〚 \cdot 〛}_{2}}.}$

Such under-approximation is required so that the newly computed (exact) hole can be encoded in

₂. Therefore, if the exact hole fits naturally in

₂ (say we have a linear constraint and

₂ is the Polyhedra domain), there is no need to under-approximate ([[·]]#₂=[[·]]#₂). In Section 3, we detail how we compute such an under-approximation, whenever needed. If no algorithm is available for the under-approximation, we keep the object n unchanged, which is sound.

The non-equality test is defined as follows:

${{〚{x_{k} \neq 0}〛}^{\sharp}\left( {X_{1}^{\sharp},X_{2}^{\sharp}} \right)}\overset{def}{=}{\left( {{{〚{x_{k} \neq 0}〛}^{\sharp}\left( X_{1}^{\sharp} \right)},{\overset{˘}{\alpha}\left( {{{\gamma_{2}\left( X_{2}^{\sharp} \right)}\bigcup{〚{x_{k} = 0}〛}}\top_{2}} \right)}} \right).}$

Although [[χ_(k)≠0]]#(X#₁) is interpreted as the identity function in standard implementations, nothing prevents the use of any available enhancement proposed by the used analyzer. For the hole, we compute the join of the new hole implied by the constraint x_(k)≠0 together with the already existing hole X#₂. If holes γ₂(X#₂) and [[χ_(k)=0]]T₂ do not overlap, we discard X#₂. In fact, very often (as will be seen in experiments), the hole induced by the constraint x_(k)≠0 is mandatory in order to prove the safety of subsequent computations.

Finally, our approach offers, for free, an interesting abstraction of the strict inequality tests. A comparison with Not Necessarily Closed domains is planned as future work.

${{〚{x_{k} < 0}〛}^{\sharp}\left( {X_{1}^{\sharp},X_{2}^{\sharp}} \right)}\overset{def}{=}{{{〚{x_{k} \neq 0}〛}^{\sharp} \circ {〚{x_{k} \leq 0}〛}^{\sharp}}{\left( {X_{1}^{\sharp},X_{2}^{\sharp}} \right).}}$

Abstract Assignment

We define in this section the abstraction of the assignment transfer function in

₁\

₂. We first give an abstraction of the forget transfer function (non-deterministic assignment):

${{{〚\left. x_{k}\leftarrow? \right.〛}_{1{\backslash 2}}^{\sharp}\left( {X_{1}^{\sharp},X_{2}^{\sharp}} \right)}\overset{def}{=}\left( {Y_{1}^{\sharp},Y_{2}^{\sharp}} \right)},{where}$ $Y_{1}^{\sharp}\overset{def}{=}{{〚\left. x_{k}\leftarrow? \right.〛}_{1}^{\sharp}\left( X_{1}^{\sharp} \right)}$ $Y_{2}^{\sharp}\overset{def}{=}\left\{ \begin{matrix} {{〚\left. x_{k}\leftarrow? \right.〛}_{2}^{\sharp}\left( X_{2}^{\sharp} \right)} & {{{{if}\mspace{14mu} {\gamma_{1}\left( X_{1}^{\sharp} \right)}}\bigcap{\gamma_{2}\left( {{〚\left. x_{k}\leftarrow? \right.〛}_{2}^{\sharp}\left( X_{2}^{\sharp} \right)} \right)}} \subseteq {\gamma_{2}\left( X_{2}^{\sharp} \right)}} \\ \bot_{2} & {{otherwise}.} \end{matrix} \right.$

For Y#₂, we basically check whether applying the forget operator to X#₂ intersects γ_(1\2)(X#₁, X#₂), by checking if this newly computed hole is included in the original hole, that is γ₂(X#₂). If yes, Y#₂ is set to ⊥₂. For instance, forgetting x₂ in

${\left( {X_{1}^{\sharp},X_{2}^{\sharp}} \right)\overset{def}{=}{{{\left( {{\left\lbrack {{- 2},2} \right\rbrack \times \left\lbrack {{- 2},2} \right\rbrack},{\left\lbrack {{- 1},1} \right\rbrack \times \left\lbrack {{- \infty},{+ \infty}} \right\rbrack}} \right)\mspace{14mu} {{gives}\left( {{\left\lbrack {{- 2},2} \right\rbrack \times \left\lbrack {{- \infty},{+ \infty}} \right\rbrack},{\left\lbrack {{- 1},1} \right\rbrack \times \left\lbrack {{- \infty},{+ \infty}} \right\rbrack}} \right)}}:{{{since}〚\left. x_{2}\leftarrow? \right.〛}_{2}^{\sharp}\left( X_{2}^{\sharp} \right)}} = {\left\lbrack {{- 1},1} \right\rbrack \times \left\lbrack {{- \infty},{+ \infty}} \right\rbrack}}},{{{\gamma_{1}\left( X_{1}^{\sharp} \right)}\bigcap{\gamma_{2}\left( {{〚\left. x_{2}\leftarrow? \right.〛}_{2}^{\sharp}\left( X_{2}^{\sharp} \right)} \right)}} = {\left\lbrack {{- 1},1} \right\rbrack \times \left\lbrack {{- 2},2} \right\rbrack}}$

which is included in γ₂(X#₂). Forgetting x₁, however, makes Y#₂=⊥₂.

The assignment could be seen as a sequence of multiple basic, already defined, operations. We distinguish two kind of assignments x←e, where e is an arithmetic expression: (I) non-invertible assignments, where the old values of x are lost, such as x←c, c ∈

, and (II) invertible assignments, such as x←x+y. For non-invertible assignment, we have:

${〚\left. x_{k}\leftarrow e \right.〛}_{1{\backslash 2}}^{\sharp}\overset{def}{=}{{{〚{x_{k} = e}〛}_{1{\backslash 2}}^{\sharp} \circ {〚\left. x_{k}\leftarrow? \right.〛}_{1{\backslash 2}}^{\sharp}}.}$

Invertible assignments are defined in a similar manner. It augments first the set of variables by a new fresh variable, say ν, then enforces the test ν=e, and finally forgets x and (syntactically) renames ν to x. Notice that augmenting the set of variables in

₁\

₂ makes the newly added variable, ν, unconstrained in both components, X#₁ and X#₂. We can suppose that such a variable v already exists, and used whenever we have an invertible assignment; hence, we obtain:

${〚\left. x_{k}\leftarrow e \right.〛}_{1{\backslash 2}}^{\sharp}\overset{def}{=}{{{swap}\left( {x_{k},v} \right)}\mspace{14mu} {{{{in}\mspace{14mu} 〚\left. x_{k}\leftarrow? \right.〛}_{1{\backslash 2}}^{\sharp} \circ {〚{v = e}〛}_{1{\backslash 2}}^{\sharp}}.}}$

Template-Based Under-Approximations of Polyhedral

We now develop a new technique to under-approximate holes obtained after linear tests. Holes obtained after non-linear tests are so far reduced to ⊥₂, which is sound. We plan to improve this as a future work. Consider for instance the object ([−2,3]×[−2,2], [−1,1]×[0,1]) . FIG. 5 depicts the exact evaluation of a linear assignment. If we use boxes to encode holes, we need to compute a box inside the white polytope. In FIG. 6, an under-approximation is needed for all convex domains, whereas a non-convex domain such as Interval Polyhedra can express exactly this kind of pattern.

The problem can be seen as follows: given a polyhedron

, we seek to compute a maximal (in a sense to define) inner polyhedron

(could be boxes, zones, octagons, linear-templates, etc. depending on

₂), which obeys the template pattern matrix T.

Let

={x ∈

|Zx≦b} be a non-empty polyhedron, where A is a known m×p matrix, b a known vector of

^(m), and x a vector of

^(p). The inner polyhedron

is expressed in a similar manner:

={x ∈

^(p)|Tx≦c}, where T is a known n×p matrix, and c and x are unknown vectors within

^(n) and

^(p), respectively. The inclusion

⊂

holds if and only if

-   -   ∃c ∈         ^(n) , such that         is consistent, and ∀x ∈         ^(p): Tx≦cAx≦b.

The consistency of

(that is the system admits a solution in

^(p)) discards the trivial (and unwanted) cases where the polyhedron

is empty. For the non-trivial cases, the existence of the vector c and the characterization of the set of its possible values are given by Proposition 3.

Proposition 3. Let

be the set of c such that

is consistent. There exists a vector c ∈

such that

⊂

if and only if there exists an n×m matrix Λ, such that λ_(i,j), the elements of the matrix Λ, are non-negative and ΛT=A. For a given possible Λ, the set c_(Λ) ⊂

is characterized by

-   -   {c ∈         ^(n)|Λc≦b}.

Proof. Let x denote a vector of

^(p), and b denote a known vector of

^(m). Let A and T be two known matrices with p columns and m and n rows, respectively. Suppose that c is such that

is consistent. Therefore, we can assume that

-   -   <t_(i), x>≦c_(i), 1≦i≦n,         where t_(i) denotes the ith row of the matrix T, is consistent.         For a fixed j, 1≦j≦m, the inequality <a_(j), x>≦b_(j), is then a         consequence of the system Tx≦c if and only if there exist         non-negative real numbers λ_(i,j), 1≦i≦n, such that

${\sum\limits_{i = 1}^{n}{\lambda_{i,j}t_{i}}} = {{a_{j}\mspace{14mu} {and}\mspace{14mu} {\sum\limits_{i = 1}^{n}{\lambda_{i,j}c_{i}}}} \leq {b_{j}.}}$

The previous claim of the existence of the non-negative λ_(i,j) is a generalization of the classical Farkas' Lemma. The matrix Λ is then constructed column by column using the elements λ_(i,j), 1≦i≦n for the j th column. Of course, by construction, such a Λ has non-negative elements, and satisfies ΛT=A, and Λc≦b.

On the other hand, if such a matrix exists, and the set {c ∈

^(n)|Λc≦b} is not empty, we have by the fact that Λ has non-negative elements

Tχ≦c

ΛTχ≦Λc.

Therefore, ΛT=A and Λc≦b, gives Ax≦b.

On the Consistency of Tx≦c.

It not obvious in general, given a matrix T, to characterize the set of c such that

is consistent. However, given a vector c, we can efficiently check whether the system is consistent or not using its dual form and a LP solver. Indeed, the system Tx≦c is inconsistent if and only if there exists a non-negative vector λ ∈

^(n) such that T^(t)λ=0 and <λ, c><0, where T^(t) denotes the transpose of T. Therefore, given a vector c, if the objective value of the following problem:

min

λ, c

s.t. T′λ=0   (2)

is non-negative, the system is consistent. Observe that, for simple patterns such as boxes, the characterization of the set of c that makes the system consistent is immediate.

Computing A.

The matrix Λ is built column by column. Let us denote by λ_(—,j) ∈

^(n) the jth column of Λ, by a_(j) ∈

^(p), 1≦j≦m, the jth row of A, by b_(j) ∈

the jth component of b, and by t_(i) ∈

^(p), 1≦i≦m, the ith row of T. The vector λ_(—,j) satisfies Σ_(i=1) ^(n)λ_(i,j)t_(i)=a_(j). To each feasible λ_(—,j) corresponds a pattern

λ - , j := { x ∈ p |  λ i , j > 0  < t i , x > ≤ 0 } ,

which is included in the affine subspace

j  = def  { x ∈ p | 〈 α j , x 〉 ≤ 0 } .

The maximal pattern (with respect to set inclusion) corresponds to λ defined as the solution of the following linear program.

$\begin{matrix} {{\min {\sum\limits_{i = 1}^{n}{\lambda_{i,j}{t_{i}}}}}{{s.t.\mspace{14mu} {\sum\limits_{i = 1}^{n}{\lambda_{i,j}t_{i}}}} = a_{j}}{{\forall{0 \leq i \leq n}},{\lambda_{i,j} \geq 0}}} & (3) \end{matrix}$

Therefore, computing Λ needs solving p instances of the LP (3).

Computing c.

We have already established (Proposition 3) that the vector c verifies Λc≦b. Since A is known, any feasible c (that is such that Λc≦b) that makes the system Tx≦c consistent (the objective value of the LP (2) is non-negative) gives an under-approximation of

that respects our initial template T. Of course, it is immediate to see that the set of c that lies on the boundaries of the feasible region (that is by making Λc=b) gives, in general, a “better” under-approximation than the strict feasible solutions since the saturation makes some of the facets of the inner pattern (

) included in those of the under-approximated polyhedron

. Moreover, in some cases, the saturation gives a unique consistent solution for c. For instance, when we under-approximate a shape

which respects already the pattern

, c is uniquely determined and gives actually b using our technique. In other words, under-approximating an octagon (for instance) with an octagonal pattern gives exactly the first octagon.

Implementation

We have implemented donut domains on top of the known APRON library. The domains

₁ and

₂ are parameters of the analysis and can be specified by the user among already existing APRON domains. The current version uses an enhanced implementation of the set-theoretic operators, mainly based on already existing routines of the underlying abstract domains, as described earlier, and relies on {hacek over (∪)}_(fb) and {hacek over (∩)}_(fb) as fallback operators. This very simple approach allows to build the donut domain without additional effort on top of already existing domains. The analyzed examples (see Table 1) use mainly the absolute value function to avoid the division by zero (widely used technique). The motiv example is the motivating example with its two branches. The gpc code is extracted from the Generic Polygon Clipper project. The examples xcor, goc and x2 are extracted from a geometric object contact detection library.

Division-by-Zero Analysis Results

TABLE 1 WCfS boxes (hole) false alarms motiv(if) dy ≠ 0 dy = 0 0 motiv(else) dx ≠ 0 dx = 0 0 gpc den ≠ 0 den ∈ [−0.1, 0.1] 0 goc d ≠ 0 d ∈ [−0.09, 0.09] 0 x2 Dx ≠ 0 Dx = 0 0 xcor usemax ≠ 0 usemax ∈ [1, 10] 1

The WCfS column (above) indicates the weakest condition that we need to infer to prove the safety of the program. Whenever the negation of this condition is verified by (included in) the donut hole, the program is proved to be safe. The third column shows the inferred donut holes when using a non-relational domain (boxes) to encode holes. As Table 1 shows, our approach permits to catch almost all division-by-zero false positives that classical domains (even non-convex) fail to prove. Here, the use of boxes is sufficient to eliminate almost all false alarms here. In the last example, among the two possible holes, namely usemax ∈ [1,10] and usemax ∈ {0}, we choose by default the one created immediately after the test (usemax>10 or usemax<1). Here the safety property can not be proved with this hole and relies on an earlier (disjoint) hole created by a former test, namely usemax ∈ {0}. We could also choose systematically (as a heuristic) the hole that contains “zero”, which is sufficient here to discard the remaining false alarm. Such a property-driven hole behavior would be an interesting direction for future research.

The proof of the motivating example is really challenging as it requires to handle both the hole that comes from the full-zero-test, together with strict inequality tests and the over-approximation that comes from the join operation. Our technique that consists of relaxing the hole in a convex way before using the fallback operator works here and is able to prove that in both branches the division is safe. In goc example, we can see one interesting ability of donuts domain: when we compute a convex join of two non-overlapping objects, the hole in between is directly captured which permits a better precision. Finally, example x2 needs a precise interpretation of strict inequalities.

Under-Approximation.

We have implemented our technique of Section 3 using the GLPK solver. Some experiments, obtained for randomly generated polyhedra with octagonal template, are shown in FIG. 7. Although all shown polyhedra are bounded, our technique works perfectly well for unbounded shapes. The rate of volume,

$\frac{volT}{volP},$

is used as a metric for the quality of the under-approximation (shown near each pattern in FIG. 7).

All obtained octagons are maximal with respect to set inclusion. It is not clear which choice among many (see the left graph), is the best. Indeed, such a choice depends on the future computations and the properties one would like to prove.

With reference now to FIG. 8, there is shown a schematic block diagram depicting an overview of abstract interpretation applicable to and according to an aspect of the present disclosure. As depicted there, a program under analysis is modeled and an abstract interpretation program analysis is performed. As those skilled in the art now readily appreciate, such abstract interpretation computes an over-approximation of reachable states. Stated alternatively, it computes an over-approximated set of those states that may be reached when the program is executed. Of course, even an over-approximation may be useful to highlight potential errors in the program, such as a null-pointer, buffer overruns, division-by-zero, etc.

While not specifically shown in FIG. 8, to realize an efficient computation , abstraction interpretation generally utilizes computations in convex domains such as intervals, octagons, or polyhedra to compute this over-approximation of the reachable states.

However, and as may be appreciated by those skilled in the art, certain properties of interest sometimes require reasoning over non-convex regions of reachable states. Turning now to FIG. 9, there is shown a schematic which is useful to illustrate certain aspects of the analysis according to the present disclosure.

Notably, sub-figure (a) shows an actual reachable state space as a solid shade. Note that the reachable state space excludes a particular inner unshaded region (maybe an ε-ball around 0 to avoid division-by-zero, for example).

Sub-figure (b) shows an over-approximation of reachable state space as computed by the interval domain (depicted as region in box). Note that the inner region (hole) is within the box and therefore treated as reachable.

Sub-figure (c) shows a more precise over-approximation (that is, the over-approximation is tighter), using the polyhedral domain (depicted within polyhedria). However, even here, the inner region (hole) is regarded as reachable.

Sub-figure (d) highlights one particular incarnation of donut domains according to an aspect of the present disclosure. In particular, it shows an example where both D₁ and D₂ are the interval domain. Notably, we have under-approximateed the inner region (hole) of unreachable states (rectangle in center circle). This allows us to potentially prove the division by 0 as safe, as long as the under-approximation includes 0. Similar to the degree of precision allowed in defining an over-approximation using different domains, we can also trade-off precision of the under-approximation by choosing various domains for the inner region of ‘unreachable states.

In summary, our method over-approximates reachable states, and under approximates unreachable states. Advantageously, we have defined and described a generic donut domain template that can be instantiated appropriately with various domains.

FIG. 10 is a schematic block diagram illustrating an exemplary computer system that when so programmed may execute instructions for performing methods according to aspects of the present disclosure.

Conclusions and Future Work

The donut domains can be viewed as an effort to make some Boolean structure in the underlying concrete space visible at the level of abstract domains as a “set-minus” operator. This allows optimization of the related abstract operators (such as meet and join) to take full advantage of its semantics in terms of excluded states. While powerset domains allow handling non-convex sets, this comes at significant cost. In practice, the full expressiveness may not be needed. We exploit the set-minus operator, which is quite versatile in capturing many problems of interest—division by zero, instability regions in numeric computations, sets excluded by contracts in a modular setting, etc. In the future, we wish to expand the experiments performed using donut domains. Furthermore, other non-convexity issues may be addressed by trying to combine the work on LDDs with insights gained here to allow handling many holes in an efficient manner. Accordingly, the disclosure should be viewed as limited only by the scope of the claims that follow. 

1. A computer implemented method for computer program analysis comprising the steps of: generating an outer convex region of all reachable states for the computer program wherein the outer region (D1) represents an over-approximation of all of the reachable states; generating an inner convex region of all unreachable states for the computer program wherein the inner region (D2) represents an under-approximation of all of the unreachable states; and generating a set of possible program errors using abstract interpretation over the difference between the two regions.
 2. The computer implemented method of claim 1 wherein the under-approximated inner region is instantiated as a powerset domain of an elementary domain.
 3. The computer implemented method of claim 1 further comprising the steps of: constructing a control flow graph of the computer program; propagating region D1 along the control flow graph; propagating region D2 along the control flow graph; determining the differences between the two propagations; and generating a set of reachable states from the difference so determined.
 3. The method of claim 3 wherein said regions are ones selected from the group consisting of: intervals, octagons, and polyhedra.
 4. The method of claim 3 wherein domains are combined for abstract interpretation and said combination is performed according to an operation selected from the group consisting of: join, meet, widening, update functions, and interpretation of tests.
 5. The method of claim 1 further comprising the steps of: determining a maximal inner polyhedron

={x ∈

^(p)|Tx≦c} of a given template matrix T that lies within a given non-empty polyhedron

={x ∈

^(p)|Ac≦b}, by: computing an auxiliary matrix A with non-negative elements and ΛT=A, computing c such that Λc≦b and Tx≦c is consistent, and outputting such inner polyhedron

.
 6. The method of claim 6 further comprising the step of using an LP-solver to find matrix Λ.
 8. The method of claim 6 further comprising the step of determining the saturation of Λc≦b, namely Λc=b.
 9. The method of claim 6 wherein the output polyhedron is used for computer program analysis.
 10. A computer implemented method for determining a maximal inner polyhedron

={x ∈

^(p)|Tx≦c} of a given template matrix T that lies within a given non-empty polyhedron

={x ∈

^(p)|Ax≦b}, comprising the steps of: computing an auxiliary matrix A with non-negative elements and ΛT=A, computing c such that Λc≦b and Tx≦c is consistent, and outputting such inner polyhedron

.
 11. The method of claim 10 further comprising the step of using an LP-solver to find matrix Λ.
 12. The method of claim 10 further comprising the step of determining the saturation of Λc≦b, namely Λc=b.
 13. The method of claim 10 wherein the output polyhedron is used for computer program analysis.
 14. The method of claim 10 wherein the output polyhedron is used for test vector generation.
 15. The method of claim 10 wherein the output polyhedron is used for computer graphics applications.
 16. A computer system comprising program instructions adapted to be executed for computer program analysis, said instructions being stored in computer-readable memory, and when executed by the computer system cause the computer system to be operable to: generate an outer convex region of all reachable states for the computer program wherein the outer region (D1) represents an over-approximation of all of the reachable states; generate an inner convex region of all unreachable states for the computer program wherein the inner region (D2) represents an under-approximation of all of the unreachable states; and generate a set of possible program errors using abstract interpretation over the difference between the two regions.
 17. The computer system of claim 16 wherein the under-approximated inner region is instantiated as a powerset domain of an elementary domain.
 18. The computer system of claim 16 further operable to: construct a control flow graph of the computer program; propagate region D1 along a control flow graph; propagate region D2 along a control flow graph; determining the differences between the two propagations; and generate a set of reachable states from the difference so determined.
 19. The computer system of claim 18 wherein said regions are ones selected from the group consisting of: intervals, octagons, and polyhedra.
 20. The computer system of claim 16 further operable to: determing a maximal inner polyhedron

={x ∈

^(p)|Tx≦c} of a given template matrix T that lies within a given non-empty polyhedron

={x ∈

^(p)|Zx≦b}, by: compute an auxiliary matrix Λ with non-negative elements and ΛT=A, compute c such that Λc≦b and Tx≦c is consistent, and output such inner polyhedron

. 